idm:DL1 security update

Errata ID: AXSA:2024-8493:01

Release date: Monday, July 1, 2024 - 17:53
Subject: idm:DL1 security update
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

Asianux Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments.

Security Fix(es):

* CVE-2024-2698 freeipa: delegation rules allow a proxy service to impersonate any user to access another target service
* CVE-2024-3183 freeipa: user can obtain a hash of the passwords of all domain users and perform offline brute force

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-2698
A vulnerability was found in FreeIPA. The initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the "forwardable" flag on S4U2Self tickets. Fixing this mistake required adding a special case to the check_allowed_to_delegate() function: if the target service argument is NULL, the KDC is probing for general constrained delegation rules and not checking a specific S4U2Proxy request. In FreeIPA 4.11.0, the behavior of ipadb_match_acl() was modified to match the changes from upstream MIT Kerberos 1.20. However, a mistake caused this mechanism to apply both when the target service argument is set and when it is unset. As a result, S4U2Proxy requests are accepted regardless of whether or not there is a matching service delegation rule.
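A simplified model of the CVE-2024-2698 logic error, added here as an illustration; it is not FreeIPA or MIT Kerberos source code. The rule table, the principal names and the functions match_acl_flawed() and match_acl_fixed() are assumptions made up for this example, and the flawed variant models the probe shortcut being taken on every call.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed delegation rule: `proxy` may delegate to `target`. */
struct deleg_rule { const char *proxy; const char *target; };

static const struct deleg_rule RULES[] = {
    { "HTTP/web.example.test", "ldap/dir.example.test" },
};
static const size_t NRULES = sizeof(RULES) / sizeof(RULES[0]);

/* Flawed model: the probe shortcut is taken whether or not a target is set,
 * so the requested target is never compared against the rules. */
bool match_acl_flawed(const char *proxy, const char *target)
{
    (void)target; /* ignored: this is the modelled defect */
    for (size_t i = 0; i < NRULES; i++)
        if (strcmp(RULES[i].proxy, proxy) == 0)
            return true;
    return false;
}

/* Corrected model: target == NULL is a probe for any rule of this proxy;
 * a concrete S4U2Proxy request needs a rule that names the target. */
bool match_acl_fixed(const char *proxy, const char *target)
{
    for (size_t i = 0; i < NRULES; i++) {
        if (strcmp(RULES[i].proxy, proxy) != 0)
            continue;
        if (target == NULL || strcmp(RULES[i].target, target) == 0)
            return true;
    }
    return false;
}

int main(void)
{
    const char *proxy = "HTTP/web.example.test";
    const char *other = "cifs/files.example.test"; /* no rule names this target */
    printf("flawed, unlisted target: %d\n", match_acl_flawed(proxy, other));
    printf("fixed,  unlisted target: %d\n", match_acl_fixed(proxy, other));
    printf("fixed,  listed target:   %d\n", match_acl_fixed(proxy, "ldap/dir.example.test"));
    printf("fixed,  probe (NULL):    %d\n", match_acl_fixed(proxy, NULL));
    return 0;
}
```

The unlisted-target case is the one worth keeping as a regression check: a delegation decision must differ between a probe and a concrete request.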
CVE-2024-3183
A vulnerability was found in FreeIPA. A Kerberos TGS-REQ is encrypted using the client’s session key. This key is different for each new session, which protects it from brute force attacks. However, the ticket it contains is encrypted using the target principal key directly. For user principals, this key is a hash of a public, per-principal, randomly generated salt and the user’s password. If a principal is compromised, the attacker would be able to retrieve tickets encrypted to any principal, each of them encrypted directly with that principal’s own key. By taking these tickets and salts offline, the attacker could run brute force attacks to find character strings able to decrypt tickets when combined with a principal salt (i.e. find the principal’s password).

Modularity name: "idm"
Stream name: "DL1"

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. bind-dyndb-ldap-11.6-5.module+el8+1779+20dc2428.ML.2.src.rpm
    Size: 370.61 kB
  2. custodia-0.6.0-3.module+el8+1779+20dc2428.src.rpm
    Size: 144.66 kB
  3. ipa-healthcheck-0.12-3.module+el8+1779+20dc2428.src.rpm
    Size: 130.65 kB
  4. ipa-4.9.13-10.module+el8+1779+20dc2428.src.rpm
    Size: 13.16 MB
  5. opendnssec-2.1.7-1.module+el8+1779+20dc2428.src.rpm
    Size: 1.09 MB
  6. python-jwcrypto-0.5.0-2.module+el8+1779+20dc2428.src.rpm
    Size: 79.63 kB
  7. python-kdcproxy-0.4-5.module+el8+1779+20dc2428.src.rpm
    Size: 36.22 kB
  8. python-qrcode-5.1-12.module+el8+1779+20dc2428.src.rpm
    Size: 33.36 kB
  9. python-yubico-1.3.2-9.1.module+el8+1779+20dc2428.src.rpm
    Size: 50.84 kB
  10. pyusb-1.0.0-9.1.module+el8+1779+20dc2428.src.rpm
    Size: 78.96 kB
  11. slapi-nis-0.60.0-4.module+el8+1779+20dc2428.ML.1.src.rpm
    Size: 646.84 kB
  12. softhsm-2.6.0-5.module+el8+1779+20dc2428.src.rpm
    Size: 1.03 MB

Asianux Server 8 for x86_64
  1. bind-dyndb-ldap-11.6-5.module+el8+1779+20dc2428.ML.2.x86_64.rpm
    Size: 127.27 kB
  2. bind-dyndb-ldap-debugsource-11.6-5.module+el8+1779+20dc2428.ML.2.x86_64.rpm
    Size: 114.73 kB
  3. custodia-0.6.0-3.module+el8+1779+20dc2428.noarch.rpm
    Size: 32.29 kB
  4. ipa-client-4.9.13-10.module+el8+1779+20dc2428.x86_64.rpm
    Size: 291.37 kB
  5. ipa-client-common-4.9.13-10.module+el8+1779+20dc2428.noarch.rpm
    Size: 192.72 kB
  6. ipa-client-epn-4.9.13-10.module+el8+1779+20dc2428.x86_64.rpm
    Size: 190.80 kB
  7. ipa-client-samba-4.9.13-10.module+el8+1779+20dc2428.x86_64.rpm
    Size: 186.34 kB
  8. ipa-common-4.9.13-10.module+el8+1779+20dc2428.noarch.rpm
    Size: 800.72 kB
  9. ipa-debugsource-4.9.13-10.module+el8+1779+20dc2428.x86_64.rpm
    Size: 510.10 kB
  10. ipa-healthcheck-0.12-3.module+el8+1779+20dc2428.noarch.rpm
    Size: 113.20 kB
  11. ipa-healthcheck-core-0.12-3.module+el8+1779+20dc2428.noarch.rpm
    Size: 58.89 kB
  12. ipa-python-compat-4.9.13-10.module+el8+1779+20dc2428.noarch.rpm
    Size: 184.15 kB
  13. ipa-selinux-4.9.13-10.module+el8+1779+20dc2428.noarch.rpm
    Size: 184.65 kB
  14. ipa-server-4.9.13-10.module+el8+1779+20dc2428.x86_64.rpm
    Size: 555.08 kB
  15. ipa-server-common-4.9.13-10.module+el8+1779+20dc2428.noarch.rpm
    Size: 625.70 kB
  16. ipa-server-dns-4.9.13-10.module+el8+1779+20dc2428.noarch.rpm
    Size: 200.36 kB
  17. ipa-server-trust-ad-4.9.13-10.module+el8+1779+20dc2428.x86_64.rpm
    Size: 298.00 kB
  18. opendnssec-2.1.7-1.module+el8+1779+20dc2428.x86_64.rpm
    Size: 472.25 kB
  19. opendnssec-debugsource-2.1.7-1.module+el8+1779+20dc2428.x86_64.rpm
    Size: 405.93 kB
  20. python3-custodia-0.6.0-3.module+el8+1779+20dc2428.noarch.rpm
    Size: 120.31 kB
  21. python3-ipaclient-4.9.13-10.module+el8+1779+20dc2428.noarch.rpm
    Size: 693.88 kB
  22. python3-ipalib-4.9.13-10.module+el8+1779+20dc2428.noarch.rpm
    Size: 768.73 kB
  23. python3-ipaserver-4.9.13-10.module+el8+1779+20dc2428.noarch.rpm
    Size: 1.66 MB
  24. python3-ipatests-4.9.13-10.module+el8+1779+20dc2428.noarch.rpm
    Size: 1.73 MB
  25. python3-jwcrypto-0.5.0-2.module+el8+1779+20dc2428.noarch.rpm
    Size: 64.91 kB
  26. python3-kdcproxy-0.4-5.module+el8+1779+20dc2428.noarch.rpm
    Size: 37.94 kB
  27. python3-pyusb-1.0.0-9.1.module+el8+1779+20dc2428.noarch.rpm
    Size: 86.86 kB
  28. python3-qrcode-5.1-12.module+el8+1779+20dc2428.noarch.rpm
    Size: 16.32 kB
  29. python3-qrcode-core-5.1-12.module+el8+1779+20dc2428.noarch.rpm
    Size: 44.43 kB
  30. python3-yubico-1.3.2-9.1.module+el8+1779+20dc2428.noarch.rpm
    Size: 62.22 kB
  31. slapi-nis-0.60.0-4.module+el8+1779+20dc2428.ML.1.x86_64.rpm
    Size: 159.70 kB
  32. slapi-nis-debugsource-0.60.0-4.module+el8+1779+20dc2428.ML.1.x86_64.rpm
    Size: 135.21 kB
  33. softhsm-2.6.0-5.module+el8+1779+20dc2428.x86_64.rpm
    Size: 429.74 kB
  34. softhsm-debugsource-2.6.0-5.module+el8+1779+20dc2428.x86_64.rpm
    Size: 203.52 kB
  35. softhsm-devel-2.6.0-5.module+el8+1779+20dc2428.x86_64.rpm
    Size: 20.48 kB